> And this can be done from userland with the preload: the "workaround"> from the preload assumes you've already executed malicious code, which> is outside of your protection scope.> > What am I missing?

ScriptsAttempts to screen contentExec occuring after ld.so is compromised

Is there anything however that cannot be done with SELinux if you addedthe ability to block an open and kick it upwards (including the open ofan exec binary)

It seems you would then get a transition from a label of 'trusted' to'untrusted_unverified' and an open of untrusted_unverified can (dependingon the SELinux rule) then block, trap upwards and continue according to auserspace response.

At that point all the questions like 'what do I want to scan for' becomeSELinux questions and we already have all the technology to do stuff like'only scan for samba' or 'only scan for httpd and cgi' and do itefficiently.

The cache then becomes the labels which are already part of the fs andour existing labelling and context management.